Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Prevent use-after-free bugs in object variants. Fixes bug #20305 #20300

Merged
merged 1 commit into from
Sep 5, 2022
Merged

Prevent use-after-free bugs in object variants. Fixes bug #20305 #20300

merged 1 commit into from
Sep 5, 2022

Conversation

planetis-m
Copy link
Contributor

@planetis-m planetis-m commented Sep 3, 2022
edited
Loading

No description provided.

@planetis-m
prevent use-after-free bugs in cased objects
f1a86f5 
the bug happens specifically when deleting
an item in a seq. The item taking it's place
might not have the same case fields. Then =sink(x[i], move x[xl])
might leave the deleted fields still in memory!
If the new item switches branches again, you get a use-after-free bug.
@planetis-m planetis-m mentioned this pull request Sep 3, 2022
Closed
@planetis-m
Copy link
Contributor Author

planetis-m commented Sep 3, 2022
edited
Loading

The alternative solution is to turn discriminant destructor into a sink that resets the memory of cased fields AFTER instead of before assigning the discriminant.

@planetis-m planetis-m changed the title Prevent use-after-free bugs in cased objects. Prevent use-after-free bugs in object variants. Sep 4, 2022
@planetis-m planetis-m changed the title Prevent use-after-free bugs in object variants. Prevent use-after-free bugs in object variants. Fixes bug #20305 Sep 4, 2022
@planetis-m planetis-m mentioned this pull request Sep 4, 2022
Closed
@Varriount Varriount requested a review from Araq September 4, 2022 18:52
@Varriount Varriount added the Requires Araq To Merge PR should only be merged by Araq label Sep 4, 2022
@Araq Araq merged commit 8dcf367 into nim-lang:devel Sep 5, 2022
@github-actions
Copy link
Contributor

github-actions bot commented Sep 5, 2022

Thanks for your hard work on this PR!
The lines below are statistics of the Nim compiler built from 8dcf367

Hint: mm: orc; threads: on; opt: speed; options: -d:release
164031 lines; 15.577s; 842.488MiB peakmem

narimiran pushed a commit that referenced this pull request Sep 6, 2022
@planetis-m @narimiran
Prevent use-after-free bugs in object variants. Fixes bug #20305 (#20300
8923e34 
) [backport]

prevent use-after-free bugs in cased objects

the bug happens specifically when deleting
an item in a seq. The item taking it's place
might not have the same case fields. Then =sink(x[i], move x[xl])
might leave the deleted fields still in memory!
If the new item switches branches again, you get a use-after-free bug.

(cherry picked from commit 8dcf367)
@planetis-m planetis-m mentioned this pull request Dec 28, 2022
Closed
capocasa pushed a commit to capocasa/Nim that referenced this pull request Mar 31, 2023
@planetis-m @capocasa
Prevent use-after-free bugs in object variants. Fixes bug nim-lang#20305
2376cfe 
 (nim-lang#20300) [backport]

prevent use-after-free bugs in cased objects

the bug happens specifically when deleting
an item in a seq. The item taking it's place
might not have the same case fields. Then =sink(x[i], move x[xl])
might leave the deleted fields still in memory!
If the new item switches branches again, you get a use-after-free bug.
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@Araq Araq Awaiting requested review from Araq

Assignees
No one assigned
Labels
Requires Araq To Merge PR should only be merged by Araq
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
3 participants
@planetis-m @Araq @Varriount